Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Callout we put in CModule is called randomly #805

Open
hillelpinto opened this issue Jun 24, 2024 · 0 comments
Open

Callout we put in CModule is called randomly #805

hillelpinto opened this issue Jun 24, 2024 · 0 comments

Comments

@hillelpinto
Copy link
Contributor

hillelpinto commented Jun 24, 2024
edited
Loading

@oleavr

Using the attached code, we want to emit a callout every CMP instruction executed, when the first CMP instruction is encountered all works fine and the callout is indeed executed but after the first execution it keeps executing on every instruction without being correctly filtered by the if condition

Screenshot of output of the callout, proving that it's been called on other instruction than CMP

image

The code to reproduce the issue is the following:

var module = Process.enumerateModules()[0]
var mem = Memory.alloc(16);
var appStart = parseInt(module.base, 16);
var ptrToAppStart = mem.writeU64(appStart);
var mem2 = Memory.alloc(16);
var appEnd = appStart + parseInt(module.size,10);
var ptrToAppEnd = mem2.writeU64(appEnd);

const cm = new CModule(`
#include <gum/gumstalker.h>
#include <gum/gummemory.h>
#include <capstone.h>
extern void logging (gchar *message);
extern guint64 *ptrToAppStart ;
extern guint64 *ptrToAppEnd ;
static void log (const gchar * format,...)
{
gchar * message;
va_list args;

va_start (args, format);
message = g_strdup_vprintf (format, args);
va_end (args);

logging(message);

g_free (message);

}

static void on_cmp_wrapper(GumCpuContext * cpu_context, gpointer user_data) {
cs_insn * insn = (cs_insn *)user_data;
log("Got as instruction ID: %d", insn->id);
}

void transform (GumStalkerIterator * iterator,
GumStalkerOutput * output,
gpointer user_data)
{

cs_insn * insn;

while (gum_stalker_iterator_next (iterator, &insn))
{

  gum_stalker_iterator_keep (iterator);
 if (insn->id == X86_INS_CMP && (gpointer)insn->address > ptrToAppStart && (gpointer)insn->address < ptrToAppEnd)
 {

      gum_stalker_iterator_put_callout (iterator,
       on_cmp_wrapper, insn, NULL);

 }

}
}

`,
{
ptrToAppStart, ptrToAppEnd,
logging: new NativeCallback((msg) => {
console.log(msg.readCString());
}, 'void', ['pointer'])

}
);

Stalker.follow(
Process.enumerateThreads()[0].id,
{
transform: cm.transform
}
);

The exe targeted will be attached to the issue
helloworld.zip
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hillelpinto